| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20131106130432.GK14235@thunk.org> Date: Wed, 6 Nov 2013 08:04:32 -0500 From: Theodore Ts'o <tytso@....edu> To: Stephan Mueller <smueller@...onox.de> Cc: Pavel Machek <pavel@....cz>, sandy harris <sandyinchina@...il.com>, linux-kernel@...r.kernel.org, linux-crypto@...r.kernel.org, Nicholas Mc Guire <der.herr@...r.at> Subject: Re: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random On Wed, Nov 06, 2013 at 01:51:17PM +0100, Stephan Mueller wrote: > >That's unfortunate, since it leaves open the question of whether this > >jitter is something that could be at least somewhat predictable if you > >had a lot more information about the internal works of the CPU or > >not.... > > I do not understand that answer: I thought we are talking about the > search of non-predictable noise sources. If you cannot predict the > sequence even if you have the state of the CPU, that is what we are > looking for, is it not? I was asking the question about whether someone who knew more about the internal _workings_ of the CPU, note of the state of the CPU. This is not necessarily "the NSA guy", but someone who knows more about the internal workings of the Intel CPU (such as an Intel engineer --- and I've had Intel express misgivings about approaches which depend on "CPU jitter" approaches), or just someone who has spent a lot more time trying to examine the black box of the Intel CPU from the outside. I remember making my own home-grown encryption algorithm before I entered college, secure in my arrogance that I had created something so complicated that no one could crack it. Of course, as I got older and wiser, I realized that it just meant it was just something *I* couldn't yet anaylze and crack. The argument "the internal state of the CPU is sooooo large, and the state transitions ar sooooo complex that it *must* be unpredictable, because *I* can't predict them" seems to be a very similar mistake that I made many years ago when I was in high school. Of course, some of the state in the CPU may not be unknown to the attacker, if it is derived by external events that are not visible to the attacker, such as a network interrupt. But if that's the case, why not measure network interrupts directly? We're much less likely to overestimate the amount of entropy we can extract the system in that case. > Also, does your answer mean you would disregard radioactive decay that > is not predictable due to quantum physics and Heisenberg? No, because that's uncertainty that we can tie to a physical source. My concern about CPU state is that we haven't yet tied that to a physical source of entropy, or to exactly what external inputs that are not available to an external attacker. We know that quantum events are not predictable. We also know that digital circuits in general are very carefully designed to *be* predictable. Regards, - Ted -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists